V8.13.384.2025.11.06
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m6s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m6s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -220,8 +220,8 @@ if [[ -f /root/.architecture ]]; then
|
||||
fi
|
||||
|
||||
|
||||
mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
|
||||
chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
|
||||
mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
|
||||
chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
|
||||
|
||||
mkdir -p /root/git
|
||||
chmod 0700 /root/git
|
||||
|
||||
@@ -25,8 +25,8 @@ fi
|
||||
cd /root
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
|
||||
chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
|
||||
cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
|
||||
chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
|
||||
|
||||
declare hashed_pwd
|
||||
declare safe_hashed_pwd
|
||||
|
||||
@@ -13,8 +13,8 @@ set -Ceuo pipefail
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||
|
||||
mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
|
||||
mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
|
||||
mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
|
||||
mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
|
||||
|
||||
cat << 'EOF' >| /etc/hostname
|
||||
live.local
|
||||
|
||||
@@ -23,8 +23,8 @@ apt-get install -y adjtimex chrony tzdata
|
||||
|
||||
systemctl enable chrony.service
|
||||
|
||||
mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
|
||||
chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
|
||||
mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
|
||||
chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
|
||||
|
||||
cat << EOF >| /etc/chrony/chrony.conf
|
||||
# SPDX-Version: 3.0
|
||||
|
||||
@@ -40,26 +40,14 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
|
||||
sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
|
||||
|
||||
install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
|
||||
sops --version --check-for-updates
|
||||
age --version
|
||||
sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
|
||||
age --version >| /root/.ciss/cdlb/log/age.log
|
||||
|
||||
rm -f "/tmp/${SOPS_FILE}"
|
||||
rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
|
||||
rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
|
||||
rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
|
||||
|
||||
umask 0077
|
||||
|
||||
mkdir -p /root/.config/sops/age
|
||||
|
||||
cat << 'EOF' >| /root/.config/sops/age/keys.txt
|
||||
{{ secrets.CISS_PHYS_AGE }}
|
||||
EOF
|
||||
|
||||
if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
|
||||
: >| /root/.config/sops/age/keys.txt
|
||||
fi
|
||||
|
||||
chmod 0400 /root/.config/sops/age/keys.txt
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||
|
||||
@@ -13,8 +13,8 @@ set -Ceuo pipefail
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||
|
||||
mkdir -p /root/.ciss/dlb/backup/update-motd.d
|
||||
cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
|
||||
mkdir -p /root/.ciss/cdlb/backup/update-motd.d
|
||||
cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
|
||||
|
||||
cat << 'EOF' >| /etc/update-motd.d/10-uname
|
||||
#!/bin/sh
|
||||
|
||||
@@ -14,7 +14,7 @@ set -Ceuo pipefail
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||
|
||||
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
|
||||
declare backup_dir="/root/.ciss/dlb/backup/certificates"
|
||||
declare backup_dir="/root/.ciss/cdlb/backup/certificates"
|
||||
declare current_date
|
||||
current_date=$(date +%s)
|
||||
declare -ax expired_certificates=()
|
||||
|
||||
@@ -13,8 +13,8 @@ set -Ceuo pipefail
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||
|
||||
cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
|
||||
chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
|
||||
cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
|
||||
chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
|
||||
|
||||
grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|
||||
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\* soft core 0' /etc/security/limits.conf
|
||||
|
||||
@@ -15,14 +15,14 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
|
||||
|
||||
cd /root
|
||||
|
||||
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
|
||||
chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
|
||||
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
|
||||
chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
|
||||
|
||||
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
|
||||
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
|
||||
|
||||
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
|
||||
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
|
||||
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
|
||||
chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
|
||||
|
||||
cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
|
||||
# SPDX-Version: 3.0
|
||||
@@ -205,7 +205,7 @@ EOF
|
||||
###########################################################################################
|
||||
# Remarks: Logrotate must be updated either #
|
||||
###########################################################################################
|
||||
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
|
||||
cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
|
||||
cat << EOF >| /etc/logrotate.d/fail2ban
|
||||
/var/log/fail2ban/fail2ban.log {
|
||||
daily
|
||||
|
||||
@@ -23,7 +23,7 @@ usbguard generate-policy >> /tmp/rules.conf
|
||||
|
||||
if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
|
||||
|
||||
mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
|
||||
mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
|
||||
cp -a /tmp/rules.conf /etc/usbguard/rules.conf
|
||||
chmod 0600 /etc/usbguard/rules.conf
|
||||
|
||||
@@ -35,7 +35,7 @@ else
|
||||
|
||||
fi
|
||||
|
||||
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
|
||||
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
|
||||
#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
|
||||
|
||||
rm -f /tmp/rules.conf
|
||||
|
||||
@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
|
||||
chmod 0644 /etc/issue.net
|
||||
|
||||
if [[ -f /etc/motd ]]; then
|
||||
cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
|
||||
chmod 0644 /root/.ciss/dlb/backup/motd.bak
|
||||
cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
|
||||
chmod 0644 /root/.ciss/cdlb/backup/motd.bak
|
||||
rm /etc/motd
|
||||
fi
|
||||
|
||||
@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd
|
||||
|
||||
EOF
|
||||
|
||||
cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
|
||||
cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
|
||||
|
||||
sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
|
||||
sed -i 's/UMASK 022/UMASK 077/' /etc/login.defs
|
||||
|
||||
@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
|
||||
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
|
||||
apt-get install -y aide > /dev/null 2>&1
|
||||
|
||||
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
|
||||
cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
|
||||
sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
|
||||
|
||||
if aideinit > /dev/null 2>&1; then
|
||||
|
||||
@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
|
||||
# shellcheck disable=SC2155
|
||||
declare -r VAR_DATE="$(date +%F)"
|
||||
|
||||
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
|
||||
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
|
||||
cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
|
||||
chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
|
||||
|
||||
cat << EOF >| /etc/security/pwquality.conf
|
||||
# SPDX-Version: 3.0
|
||||
|
||||
@@ -29,9 +29,9 @@ cd /root
|
||||
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
|
||||
apt-get install -y auditd
|
||||
|
||||
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
|
||||
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
|
||||
cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
|
||||
cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
|
||||
cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
|
||||
cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
|
||||
rm -rf /etc/audit/rules.d/audit.rules
|
||||
|
||||
############################################################### /etc/audit/rules.d/00-base-config.rules
|
||||
|
||||
@@ -19,8 +19,8 @@ cd /root
|
||||
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
|
||||
apt-get install -y --no-install-recommends debsums
|
||||
|
||||
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
|
||||
chmod 0644 /root/.ciss/dlb/backup/debsums.bak
|
||||
cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
|
||||
chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
|
||||
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
|
||||
|
||||
if debsums -g > /dev/null 2>&1; then
|
||||
|
||||
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
|
||||
# shellcheck disable=SC2155
|
||||
declare -r VAR_DATE="$(date +%F)"
|
||||
|
||||
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
|
||||
mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
|
||||
rm -f /etc/network/interfaces
|
||||
|
||||
cat << EOF >| /etc/network/interfaces
|
||||
|
||||
Reference in New Issue
Block a user